myfaces-dev mailing list archives

From "Leonardo Uribe (JIRA)" <>
Subject [jira] Commented: (MYFACES-1879) Problems with myfaces when java2 security is enabled
Date Fri, 20 Jun 2008 02:37:45 GMT


Leonardo Uribe commented on MYFACES-1879:

If I understand, you are proposing to create a method in shared to obtain the current classLoader,
making security management with java2 security easier?

Just propose a patch and some developer will surely check it and commit it.

Thanks for your interest.

> Problems with myfaces when java2 security is enabled
> ----------------------------------------------------
>                 Key: MYFACES-1879
>                 URL:
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.2.3
>            Reporter: Michael Concini
> When running MyFaces 1.2 on an application server with java2 security turned on, a user
> can receive an AccessControlException from several locations within the code, in some cases
> preventing the application from working in the environment.
> There are several places in the myfaces code that should be updated to include a doPriv
> when java2 security is on.  Specifically in locations where the code is executing a call to
> Thread.currentThread().getContextClassLoader(), as well as in the JspStateManagerImpl's deserializeView()
> for example (in the classloader case):
> if (System.getSecurityManager() != null) {
> 	try {
> 		Object cl = AccessController.doPrivileged(new PrivilegedExceptionAction() {
> 				public Object run() throws PrivilegedActionException {
> 					return Thread.currentThread().getContextClassLoader();
> 				}
> 		});
> 		return (ClassLoader) cl;
> 	} catch (PrivilegedActionException pae) {
> 		throw new FacesException(pae);
> 	}
> }else{
> 	return Thread.currentThread().getContextClassLoader();
> }
> If it's agreed that the change should be implemented, I'd be happy to perform the changes
> myself and supply a patch.  I also thought that it might make sense to, at least for the ClassLoader
> lookup, create a method in ClassUtils called getContextClassloader that could be called elsewhere
> for efficiency's sake.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
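
One way the shared lookup helper discussed in this thread could look. This is an added example, not code from MyFaces or from the issue reporter; the class name ContextClassLoaderHelper and the null fallback are assumptions made for illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper (not MyFaces code): a single place for the privileged
// context class loader lookup, so call sites do not repeat the doPrivileged block.
final class ContextClassLoaderHelper {

    private ContextClassLoaderHelper() {
        // static helper, no instances
    }

    // Package-private on purpose: inside doPrivileged only this class's
    // protection domain is checked, so a public method would hand the class
    // loader to any caller, including code that was never granted
    // RuntimePermission("getClassLoader") itself.
    @SuppressWarnings({"deprecation", "removal"}) // security manager APIs are deprecated on newer JDKs
    static ClassLoader getContextClassLoader() {
        ClassLoader cl;
        if (System.getSecurityManager() == null) {
            // No security manager installed: plain call, no privileged frame needed.
            cl = Thread.currentThread().getContextClassLoader();
        } else {
            // PrivilegedAction rather than PrivilegedExceptionAction: the lookup
            // throws no checked exception, so there is no
            // PrivilegedActionException to catch and rewrap.
            cl = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                public ClassLoader run() {
                    return Thread.currentThread().getContextClassLoader();
                }
            });
        }
        // Assumption of this example: a thread may have no context class
        // loader set, so fall back to the loader that defined this helper.
        return (cl != null) ? cl : ContextClassLoaderHelper.class.getClassLoader();
    }

    public static void main(String[] args) {
        System.out.println("context class loader: " + getContextClassLoader());
    }
}
```

The privileged block contains only the lookup itself and takes no caller-supplied input, which keeps the code that runs with the library's permissions as small as possible.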
